In February, the PCI SSC announced that, because of an inherent weakness in the SSL version 3.0 protocol, SSL is “no longer acceptable for protection of data”, as we reported in a blog post.
The follow-up statement dated 25 March 2015 confirms the following:
- “The changes impact all requirements in the PCI DSS and PA-DSS that reference SSL as an example of “strong cryptography”. Specifically: PCI DSS Requirements 2.2.3, 2.3 and 4.1; and PA-DSS Requirements 6.2, 8.2, 11.1 and 12.1-12.2
- “All PCI DSS and PA-DSS v3.0 documentation will be affected, including: Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC), Report on Compliance (ROC), Attestation of Validation (AOV) and Report on Validation (ROV).
- “When published, the revisions will be effective immediately but impacted requirements will have a sunset date to allow for organizations with affected systems to implement the changes.
- “The revised standards will be accompanied by a summary of changes document for each standard, as well as supporting guidance to help clarify the impact of these changes, including interim risk mitigation approaches, migration recommendations and alternative options for strong cryptographic protocols.”
Until the publication of the revisions mentioned above, the PCI SSC “urges organizations to work with your IT departments and/or partners to understand if you are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.”
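The first step in that guidance is finding out whether SSL 3.0 is actually being negotiated. One defender-side way to do that is to look at handshake records in captured traffic: SSL 3.0 and TLS 1.0 to 1.2 share a record layout in which the protocol version sits at fixed offsets, so a ServerHello carrying version 3.0 is direct evidence of an SSL 3.0 session. The parser below is an added example for this post, not code from the PCI SSC or from the original article; the sample records it checks are constructed rather than captured, and the `build_hello` helper only produces the minimal framing needed for the check.

```python
"""Find SSL 3.0 handshakes in TLS/SSL record data.

Added illustration (not PCI SSC or article code). Sample records are
constructed inline. Layout shared by SSL 3.0 and TLS 1.0-1.2:
  record[0]    content type (0x16 = handshake)
  record[1:3]  record-layer version
  record[3:5]  record length (16-bit)
  record[5]    handshake type (0x01 ClientHello, 0x02 ServerHello)
  record[6:9]  handshake length (24-bit)
  record[9:11] client_version / server_version
An SSLv2-compatible ClientHello uses different framing (high bit of the
first byte set) and is rejected by the content-type check below.
"""

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    # TLS 1.3 also writes 0x0303 here; its real version lives in the
    # supported_versions extension, which this minimal parser does not read.
    (3, 3): "TLSv1.2",
}


def parse_hello(record: bytes) -> dict:
    """Return the Hello type, its protocol version and whether it is SSL 3.0."""
    if len(record) < 11:
        raise ValueError("record too short for a Hello message")
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError(f"unexpected handshake type 0x{hs_type:02x}")
    # Cross-check the two length fields against the bytes we were given.
    if rec_len != len(record) - 5 or hs_len != rec_len - 4:
        raise ValueError("length fields do not match the record")
    major, minor = record[9], record[10]
    return {
        "message": "ClientHello" if hs_type == CLIENT_HELLO else "ServerHello",
        "version": VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})"),
        "sslv3": (major, minor) == (3, 0),
    }


def find_sslv3(records) -> list:
    """Return (index, message) for every record whose Hello carries SSL 3.0.

    A ServerHello hit means the server actually selected SSL 3.0; a
    ClientHello hit only shows a client offering it.
    """
    hits = []
    for i, rec in enumerate(records):
        info = parse_hello(rec)
        if info["sslv3"]:
            hits.append((i, info["message"]))
    return hits


def build_hello(hs_type: int, major: int, minor: int) -> bytes:
    """Construct a minimal Hello record (version + 32-byte random only) for testing."""
    body = bytes([major, minor]) + b"\x00" * 32
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + len(hs).to_bytes(2, "big") + hs


# Constructed sample records, not captured traffic.
SAMPLE_RECORDS = [
    build_hello(CLIENT_HELLO, 3, 1),  # client offers TLS 1.0
    build_hello(SERVER_HELLO, 3, 0),  # server selected SSL 3.0: the case the PCI SSC flags
    build_hello(SERVER_HELLO, 3, 3),  # server selected TLS 1.2
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, parse_hello(rec))
    print("SSL 3.0 negotiated in records:", find_sslv3(SAMPLE_RECORDS))
```

Run over real captures, the ServerHello hits are the ones that matter for the migration: they show which servers still complete an SSL 3.0 handshake and therefore fall under the revised requirements.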